PatchSiren cyber security CVE debrief
CVE-2026-41715 Spring CVE debrief
CVE-2026-41715 is a medium-severity vulnerability (CVSS Score: 6.1) affecting Reactor Netty's HTTP client. In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. This can occur only when the HTTP client has been explicitly configured to follow redirects. Affected versions include Reactor Netty 1.0.0 through 1.0.51, 1.1.0 through 1.1.35, 1.2.0 through 1.2.17, and 1.3.0 through 1.3.5.
- Vendor: Spring
- Product: Reactor Netty
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Users of Reactor Netty, particularly those who have explicitly configured their HTTP client to follow redirects, should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability arises from Reactor Netty's handling of HTTP redirects. When the client has been explicitly configured to follow redirects and receives a redirect from a secure (HTTPS) endpoint to an insecure (HTTP) endpoint, it may inadvertently re-send the request's credentials over the insecure connection, leaking them. Clients that keep the default setting (redirects not followed) are not affected.
Defensive priority
Medium
Recommended defensive actions
- Update to a non-vulnerable version of Reactor Netty.
- Review and adjust HTTP client configurations to avoid following redirects to insecure endpoints.
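The second action above, as an added example that is not part of the PatchSiren debrief or of the Reactor Netty project: a `followRedirect` predicate that refuses any redirect whose resolved `Location` would downgrade from https to http, shown beside the blanket `followRedirect(true)` setting. It assumes the `HttpClient.followRedirect(BiPredicate)`, `HttpClientRequest.resourceUrl()` and `HttpClientResponse.responseHeaders()` API of Reactor Netty; updating to a fixed version remains the primary fix.

```java
import java.net.URI;
import java.util.function.BiPredicate;

import io.netty.handler.codec.http.HttpHeaderNames;
import reactor.netty.http.client.HttpClient;
import reactor.netty.http.client.HttpClientRequest;
import reactor.netty.http.client.HttpClientResponse;

public class NoDowngradeRedirects {

    /**
     * Returns true only when following the redirect keeps the transport at least as
     * secure as the original request. A relative or scheme-relative Location inherits
     * the original scheme, so it is resolved against the request URL first.
     */
    static boolean isSafeRedirect(String requestUrl, String location) {
        if (location == null || location.isBlank()) {
            return false;
        }
        URI from = URI.create(requestUrl);
        URI to = from.resolve(location.trim());
        if (from.getScheme() == null || to.getScheme() == null) {
            return false; // cannot reason about the target, so do not follow it
        }
        boolean downgrade = "https".equalsIgnoreCase(from.getScheme())
                && !"https".equalsIgnoreCase(to.getScheme());
        return !downgrade;
    }

    /** Predicate handed to Reactor Netty: follow only 3xx responses that pass isSafeRedirect. */
    static final BiPredicate<HttpClientRequest, HttpClientResponse> NO_DOWNGRADE = (req, res) ->
            res.status().code() / 100 == 3
                    && isSafeRedirect(req.resourceUrl(),
                                      res.responseHeaders().get(HttpHeaderNames.LOCATION));

    /** Weak configuration: every redirect is followed, including https -> http. */
    static HttpClient followAll() {
        return HttpClient.create().followRedirect(true);
    }

    /** Hardened configuration: redirects are followed only when they do not downgrade. */
    static HttpClient followWithoutDowngrade() {
        return HttpClient.create().followRedirect(NO_DOWNGRADE);
    }

    public static void main(String[] args) {
        // Constructed sample URLs, not taken from the advisory.
        System.out.println(isSafeRedirect("https://api.example/v1", "http://api.example/v1"));   // false
        System.out.println(isSafeRedirect("https://api.example/v1", "/v2"));                     // true
        System.out.println(isSafeRedirect("http://api.example/v1", "https://api.example/v1"));   // true
    }
}
```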
Evidence notes
The CVE record and details are sourced from official databases and vendor notifications.
Official resources
- CVE-2026-41715 CVE record (CVE.org)
- CVE-2026-41715 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-41715 was published on 2026-06-09T05:16:35.263Z and modified on 2026-06-09T13:49:39.993Z.